Send email after creating user using Graph API in B2C - azure-ad-b2c

We have the below requirement:
We are creating B2C users (with a random password) using the Graph API from our ASP.NET Core Web API.
We want to send a welcome email to the user along with a link so that the user can directly launch the "Password Reset" page and then can log in to the application after setting the password.
As per my research, different solutions and their cons:
User logs in and follows the forgot-password journey from login, but that's a bit annoying for new users. How would they know that they have to follow the forgot-password journey on first login?
Implement a "forced to reset password on first login" policy, but for this policy the user should know their initial password.
Using a REST API: we can't use a REST API in a custom policy as we are creating the user using the Graph API.
Is there any better way to send an email to the user on creation (using the Graph API)?
Any help is much appreciated.
Thanks in advance,
Anu

You can send out an "invite" link via email after creating the account via the Graph API, which, when the user opens it from their inbox, they can use to set a new password at AAD B2C; they are immediately logged in to the app once completed (or you can do other things in the journey if you like).
This uses the id_token_hint concept demonstrated here.

Related

B2C API connector is not called

I have integrated an API connector on an Azure B2C Sign Up user flow to enrich the token with a custom attribute from a REST API call. Works great! When the user logs in, the custom attribute is correctly present in the token.
Then, I have enabled self-service password reset, following the documentation. And now, if during the Sign Up journey the user clicks on the "Forgot your password?" link and changes their password, at the end they get signed up (and the password has been changed) but the API connector has not been called and the custom attribute is not present in the token.
Did I miss something or is this scenario not supported by User flows?
Thanks for your help
As per the docs:
There are three places in a user flow where you can enable an API connector:
After federating with an identity provider during sign-up - applies to sign-ups experiences only
Before creating the user - applies to sign-ups experiences only
Before sending the token (preview) - applies to sign-ups and sign-ins
When you click on "Forgot your password?", this takes you to a different flow, not sign-up or sign-in.

Detect social account existence flow using custom policies on Azure AD B2C

I am struggling to get my head around how to implement a custom policy for the following flow:
User lands on the login page, and that login page only contains an email input.
User enters the email address and clicks continue.
if the user has already registered
    Redirected to their selected login provider (Google, Microsoft Account or Local Account)
if the user has not registered before
    Check the Google provider if a user account exists for that email address
    if a Google account exists
        Redirect to Google login
    Check the Microsoft provider if a user account exists for that email address
    if a Microsoft account exists
        Redirect to Microsoft login
    else
        Redirect to the registration screen
User completes the registration screen.
User is automatically logged in.
The user
I've investigated whether this can in fact be done and I've found a "digital workspace for visual collaboration" (a.k.a. Mural.co) that does in fact implement a similar flow, so this has to be possible. See the pictures below.
I'm, however, unable to find information on
how to query the social providers for account existence
how to go about creating this complex type of flow in Azure AD B2C custom policies.
Any pointers in the right direction would be greatly appreciated
Not possible. Nobody would allow you to probe a social IdP for an email. Data protection etc.
Reference our samples and wiki
Your sign up would be from our default sign up journey.
Your sign in flow could work like this:
Request for email
Read the directory to see if an email exists
If the email exists, send the user to the IdP they used to sign up. You can do that by looking at the "issuers" registered on the userIdentity object.
If the email doesn't exist, send the user to the combined sign in and sign up page (technical profile) where they can sign in with social or sign up with a local account. Hide the sign in elements with CSS.
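The "read the directory, then route" step from the answer above, as an added example in Python against Microsoft Graph data (this is not the answer's code, which would live in a custom-policy technical profile). It assumes local accounts carry the e-mail in identities (signInType emailAddress), that social accounts keep the e-mail they signed up with in otherMails as the B2C starter-pack policies store it, and the issuer strings google.com and live.com; confirm all three in your own tenant. The Graph responses are constructed. One caveat a practitioner should keep in mind: an e-mail-first page like this tells anyone whether an address is registered and with which IdP, so rate-limit it.

```python
# Added example (not from the original answer): route an e-mail-first sign-in
# using your own directory instead of probing social IdPs. Graph data constructed.
TENANT_DOMAIN = "contoso.onmicrosoft.com"   # assumed tenant

# issuer strings B2C records for federated identities -> IdP to redirect to (assumed)
ISSUER_TO_IDP = {"google.com": "Google", "live.com": "MicrosoftAccount"}

# Constructed sample of what GET /users?$select=identities,otherMails returns
# for a user who signed up with a Microsoft account. Every B2C user also has a
# userPrincipalName identity; it carries no routing information and is skipped.
SAMPLE_GRAPH_USERS = [{
    "id": "00000000-0000-0000-0000-000000000001",
    "otherMails": ["jane@example.com"],
    "identities": [
        {"signInType": "userPrincipalName", "issuer": TENANT_DOMAIN,
         "issuerAssignedId": "cpim_1@" + TENANT_DOMAIN},
        {"signInType": "federated", "issuer": "live.com",
         "issuerAssignedId": "0123456789abcdef"},
    ],
}]


def graph_lookup_filters(email: str) -> list:
    """$filter expressions to run as two separate GET /users requests: one for
    a local account whose sign-in name is the e-mail, one for a social account
    that recorded the e-mail in otherMails. Single quotes are doubled so an
    address like o'brien@example.com cannot break out of the OData literal."""
    e = email.replace("'", "''")
    return [
        f"identities/any(c:c/issuerAssignedId eq '{e}' and c/issuer eq '{TENANT_DOMAIN}')",
        f"otherMails/any(m:m eq '{e}')",
    ]


def route_for_email(graph_users: list) -> str:
    """Decide where to send the user given the Graph results for the e-mail.
    Returns 'Local', an IdP name from ISSUER_TO_IDP, or 'SignUp' when the
    address is unknown (the combined sign-in/sign-up page)."""
    for user in graph_users:
        for ident in user.get("identities", []):
            if ident.get("signInType") == "emailAddress":
                return "Local"
            if ident.get("signInType") == "federated":
                idp = ISSUER_TO_IDP.get(ident.get("issuer", ""))
                if idp:
                    return idp
    return "SignUp"
```

Run both filters, merge the results and hand the list to route_for_email; an unknown federated issuer deliberately falls through to "SignUp" rather than guessing.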

Azure AD B2C - asynchronous email verification

Using Azure AD B2C with 'Email' specified for the user ID.
I've tested the 'Sign up' and 'Sign up v2' user flows in Azure AD B2C. Both of these require the user to verify their email address by sending/entering a verification code. I've enabled MFA for both of these flows, so the mobile number needs to get verified as well.
The product guys have asked if it's possible for email verification to be done asynchronously, e.g. an email getting sent to the user, but they can verify this (e.g. via a hyperlink in the email) in their own time without having to enter a verification code during the registration process. Is this possible?
FYI, I think the reasoning from the product guys is that MFA via SMS to their mobile is enough. Multiple verifications (i.e. for email AND mobile) is a bit too much in terms of the UX...
One potential solution.
It's possible to disable email verification:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-disable-ev
Can then do external orchestration to send an async email. When they click on the link, we can update the verification status via the MS Graph API. Don't love this solution, but it's an option...

Azure AD B2C SignUp-SignIn policy with MFA turned on - Custom Login Page

I have an ASP.NET web application that authenticates via an Azure AD B2C tenant. I have a sign-up-sign-in policy [login is using username instead of email] with MFA turned on. I have also set up a custom UI login page [unified.html] and MFA page [phonefactor.html] in a storage blob that the policy points to. I am able to authenticate the user via the custom login page and log in with MFA. The issue is when I create a new user and force the user to change the password at their first login: instead of redirecting the user to the change password screen, I am getting an invalid username and password message. When I use the Sign-In policy instead of sign-up-sign-in, the redirection to change the password works for the new user. But the sign-in policy does not have the option to specify a custom UI for the login page. Am I missing anything here, and how can I make this work with the sign-up-sign-in policy?
Also, is there any way to get a "Password" hint like the "Username" hint in the company branding? A password hint is not available.
forceChangePasswordNextLogin only works on the sign-in policy which does not support UI customization.
In order to achieve similar functionality in the unified sign-up/sign-in policy, you'll need to implement this functionality yourself.
One option to achieve similar (albeit not quite the same) functionality is by leveraging the Password Reset policy. You would be creating new users up-front and ensuring you configure their email. You then direct them straight to the Password Reset policy for their account activation. They'll receive an email with a code which, once provided, will let them set their password.
There are already two outstanding feature asks in the Azure AD B2C Feedback Forum that you can support:
Support Force Password Reset
Fully Customizable Sign-In Page
UPDATE
For the DIY approach:
Create the users by setting up an Azure AD app for your back-end API as outlined here:
https://learn.microsoft.com/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
Have your back-end API call the Graph API like this app does to create the users: https://github.com/AzureADQuickStarts/B2C-GraphAPI-DotNet.git
Send the users directly to the password reset policy's /authorize/ URL.

Pre-register users with Azure AD B2C

I would like to pre-register a limited number of users which can use my application.
These are the requirements:
Users should be able to reset their password on their own
No other users than the preregistered users can sign up
Ideally, the user can choose the login email address himself (no #app.onmicrosoft.com login).
Now I'm having trouble having all requirements fulfilled together.
I was able to preregister #app.onmicrosoft.com users in the Azure Portal. But since the user can't get emails on #app.onmicrosoft.com, a password-reset policy would not make sense. I tried to specify an alternate email and a phone number in the user profile, but unfortunately the password-reset policy is not using it for verification.
Let's say I create a sign-up policy: this is nice; the user chooses his own email. Password resetting would also work. However, I can't control who's signing up and getting valid access tokens. In the portal, under Enterprise Applications, I found my registered application (All Applications) where I can set the option "User assignment required?" to true. But this does not seem to work in the B2C context, right? I expected that until I assign a user to this application, the user would not get a token on sign-in, but this wasn't the case. Here I found a similar question about creating users. Any advice on creating users including passwords etc. using Microsoft Graph (since it's recommended to use it over Graph API)?
I also tried to invite users as guests. They have to create a Microsoft account; resetting passwords would be solved through Microsoft, but unfortunately no redirect to the Microsoft login happens after entering the Microsoft account email address.
Deleting the signup policy after initial registration is a bad option if more users have to be onboarded.
Ideally, I would like to preregister users as if they signed up by their own - but with no signup policy.
Any advice? What do I miss?
You can implement the activation/invitation scenario that is described here and implemented here.
This scenario activates/invites a new user by creating/pre-registering a local account in the Azure AD B2C directory through the Azure AD Graph and then sending a signed redemption link to the email address for this local account.
This redemption link directs the new user to the Password Reset policy.
Currently, creating users in a B2C tenant with a "local account" is not supported in Microsoft Graph. For this you'll need to use Azure AD Graph for now (see creating a user with a local account). Please see this blog post for details and line item 12 in the table.
We hope to add this capability as soon as we can to Microsoft Graph.
Hope this helps,
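The pre-register-then-link pattern recurs on this page: the invite link with id_token_hint in the first thread, the password-reset URL in the DIY answer above, the async verification link in the "asynchronous email verification" thread, and the signed redemption link in this answer. The following is an added example in stdlib Python, not code from any of the posts (the posters used ASP.NET Core and the Azure AD Graph sample). It builds the Microsoft Graph request bodies and the signed links; the HTTP calls themselves are left to the caller. Assumptions: a tenant named contoso, an HS256 signer for links that only your own API validates (B2C will not accept a shared-secret HMAC as id_token_hint; for that you pass an RS256 signer and publish the matching JWK in the metadata the policy points at), and a custom extension attribute named emailVerified for the verification status, which B2C does not have built in. Note that Microsoft Graph today does support creating local accounts through the identities collection, so the Azure AD Graph limitation in the answer above no longer applies.

```python
# Added example, not code from any post on this page. Stdlib only.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Optional
from urllib.parse import urlencode

TENANT = "contoso"                                   # assumed B2C tenant name
TENANT_DOMAIN = f"{TENANT}.onmicrosoft.com"
Signer = Callable[[bytes], bytes]


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def graph_create_local_user(email: str, display_name: str) -> dict:
    """Body for POST https://graph.microsoft.com/v1.0/users (local account).
    The random password is never shown to anyone: the user replaces it through
    the invite / password-reset policy, so forceChangePasswordNextSignIn stays
    False (that flag only takes effect with the legacy sign-in policy)."""
    throwaway = b64url(secrets.token_bytes(24)) + "aA1!"   # length + char classes
    return {
        "accountEnabled": True,
        "displayName": display_name,
        "identities": [{"signInType": "emailAddress", "issuer": TENANT_DOMAIN,
                        "issuerAssignedId": email}],
        "passwordProfile": {"password": throwaway,
                            "forceChangePasswordNextSignIn": False},
        "passwordPolicies": "DisablePasswordExpiration",
    }


def hmac_signer(secret: bytes) -> Signer:
    """HS256 signer: adequate for links that only your own API validates."""
    return lambda signing_input: hmac.new(secret, signing_input, hashlib.sha256).digest()


def encode_jws(claims: dict, sign: Signer, alg: str, kid: str) -> str:
    """Compact JWS. For a B2C id_token_hint pass an RS256 signer and the kid of
    the JWK published at your metadata's jwks_uri; B2C rejects HMAC there."""
    def dump(obj: dict) -> str:
        return b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = dump({"alg": alg, "typ": "JWT", "kid": kid}) + "." + dump(claims)
    return signing_input + "." + b64url(sign(signing_input.encode()))


def link_claims(email: str, issuer: str, audience: str, ttl: int = 3600,
                now: Optional[int] = None) -> dict:
    now = int(time.time()) if now is None else now
    return {"iss": issuer,          # must equal "issuer" in the metadata you host
            "aud": audience,        # client_id of the app the policy runs for
            "iat": now, "nbf": now, "exp": now + ttl,
            "jti": secrets.token_urlsafe(16),   # persist it to make the link one-shot
            "email": email}


def b2c_authorize_url(policy: str, client_id: str, redirect_uri: str,
                      id_token_hint: Optional[str] = None,
                      nonce: Optional[str] = None) -> str:
    """The link for the welcome e-mail. Without id_token_hint it is the plain
    password-reset entry point (user receives a code by e-mail); with it the
    invite policy trusts the signed e-mail claim and skips that step."""
    params = {"client_id": client_id, "response_type": "id_token",
              "response_mode": "form_post", "scope": "openid",
              "redirect_uri": redirect_uri,
              "nonce": nonce or secrets.token_urlsafe(16)}
    if id_token_hint:
        params["id_token_hint"] = id_token_hint
    return (f"https://{TENANT}.b2clogin.com/{TENANT_DOMAIN}/{policy}"
            "/oauth2/v2.0/authorize?" + urlencode(params))


def verify_link(token: str, sign: Signer, audience: str,
                now: Optional[int] = None) -> Optional[dict]:
    """Validate an HS256 link this API issued (the async verification click).
    Signature is checked in constant time before the body is even parsed;
    returns the claims, or None if anything at all is wrong."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(sign(f"{head}.{body}".encode()), b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except ValueError:          # bad split, bad base64, bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("aud") != audience:
        return None
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        return None
    return claims


def graph_mark_email_verified(extension_app_id: str) -> dict:
    """Body for PATCH /users/{id} once a verification link is redeemed, using an
    assumed custom attribute emailVerified (app id of the b2c-extensions-app
    without dashes); B2C has no built-in flag for this."""
    return {f"extension_{extension_app_id}_emailVerified": True}
```

Flow: POST graph_create_local_user(...) to Graph, then mail either b2c_authorize_url("B2C_1A_invite", ..., id_token_hint=encode_jws(link_claims(...), rs256_signer, "RS256", kid)) or, for the plain DIY route, b2c_authorize_url("B2C_1_PasswordReset", ...) with no hint. For the verification case the link points at your own endpoint, which calls verify_link and, on success, PATCHes graph_mark_email_verified(...). Keep the TTL short and record the jti so a forwarded or leaked link cannot be redeemed twice.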
